search

louiswi / reaver-wps

Automatically exported from code.google.com/p/reaver-wps
0 stars 0 forks source link

Problem with argument handling #120

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
1. What operating system are you using (Linux is the only supported OS)?

  Openwrt r29701

  Reaver r83 seems to have issues with the way arguments are handled. Some ordering may cause a crash.

root@ecke:/tmp# reaver -vv -c 11 -b 00:13:10:14:EB:8F -i wlan0

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Switching (null) to channel 11
Segmentation fault
root@ecke:/tmp# reaver -i wlan0 -b 00:13:10:14:EB:8F -c 11 -vv

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<cheffner@tacnetsol.com>

[+] Waiting for beacon from 00:13:10:14:EB:8F
[+] Switching wlan0 to channel 11
[!] WARNING: Failed to associate with 00:13:10:14:EB:8F (ESSID: xxx)
[!] WARNING: Failed to associate with 00:13:10:14:EB:8F (ESSID: xxx)
^C
[+] Nothing done, nothing to save.

Original issue reported on code.google.com by annemarc...@gmail.com on 10 Jan 2012 at 1:18

GoogleCodeExporter commented 8 years ago 
openwrt is not currently a supported platform. This issue does not occur in 
non-embedded Linux distros.

Rolling this into issue 46 (add support for openwrt).

Original comment by cheff...@tacnetsol.com on 10 Jan 2012 at 5:43

GoogleCodeExporter commented 8 years ago 
hi cheff this is not just a issue in openwrt

$uname -a
Linux cell 2.6.38-13-generic #53-Ubuntu SMP Mon Nov 28 19:33:45 UTC 2011 x86_64 
x86_64 x86_64 GNU/Linux

$sudo strace reaver -c 6 -i mon0 -b 58:6D:8F:73:0F:F6 -vv
execve("/usr/local/bin/reaver", ["reaver", "-c", "6", "-i", "mon0", "-b", 
"58:6D:8F:73:0F:F6", "-vv"], [/* 18 vars */]) = 0
brk(0)                                  = 0xa89000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0x7f126eb2e000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=140227, ...}) = 0
mmap(NULL, 140227, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f126eb0b000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\r\0\0\0\0\0\0"..., 
832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=14696, ...}) = 0
mmap(NULL, 2109720, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 
0x7f126e70c000
mprotect(0x7f126e70e000, 2097152, PROT_NONE) = 0
mmap(0x7f126e90e000, 8192, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f126e90e000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libm.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360>\0\0\0\0\0\0"..., 
832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=543104, ...}) = 0
mmap(NULL, 2638136, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 
0x7f126e487000
mprotect(0x7f126e50b000, 2093056, PROT_NONE) = 0
mmap(0x7f126e70a000, 8192, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x83000) = 0x7f126e70a000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/usr/lib/libpcap.so.0.8", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360M\0\0\0\0\0\0"..., 
832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=220512, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0x7f126eb0a000
mmap(NULL, 2318848, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 
0x7f126e250000
mprotect(0x7f126e284000, 2097152, PROT_NONE) = 0
mmap(0x7f126e484000, 8192, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x34000) = 0x7f126e484000
mmap(0x7f126e486000, 512, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f126e486000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/usr/lib/x86_64-linux-gnu/libsqlite3.so.0", O_RDONLY) = 3
read(3, 
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\204\0\0\0\0\0\0"..., 832) = 
832
fstat(3, {st_mode=S_IFREG|0644, st_size=626520, ...}) = 0
mmap(NULL, 2723096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 
0x7f126dfb7000
mprotect(0x7f126e04d000, 2093056, PROT_NONE) = 0
mmap(0x7f126e24c000, 16384, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x95000) = 0x7f126e24c000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\360\1\0\0\0\0\0"..., 
832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1638120, ...}) = 0
mmap(NULL, 3749080, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 
0x7f126dc23000
mprotect(0x7f126ddad000, 2093056, PROT_NONE) = 0
mmap(0x7f126dfac000, 20480, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x189000) = 0x7f126dfac000
mmap(0x7f126dfb1000, 21720, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f126dfb1000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\\\0\0\0\0\0\0"..., 
832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=140254, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0x7f126eb09000
mmap(NULL, 2217000, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 
0x7f126da05000
mprotect(0x7f126da1d000, 2097152, PROT_NONE) = 0
mmap(0x7f126dc1d000, 8192, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x18000) = 0x7f126dc1d000
mmap(0x7f126dc1f000, 13352, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f126dc1f000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0x7f126eb08000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0x7f126eb06000
arch_prctl(ARCH_SET_FS, 0x7f126eb06720) = 0
mprotect(0x7f126dc1d000, 4096, PROT_READ) = 0
mprotect(0x7f126dfac000, 16384, PROT_READ) = 0
mprotect(0x7f126e24c000, 8192, PROT_READ) = 0
mprotect(0x7f126e484000, 4096, PROT_READ) = 0
mprotect(0x7f126e70a000, 4096, PROT_READ) = 0
mprotect(0x7f126e90e000, 4096, PROT_READ) = 0
mprotect(0x641000, 4096, PROT_READ)     = 0
mprotect(0x7f126eb30000, 4096, PROT_READ) = 0
munmap(0x7f126eb0b000, 140227)          = 0
set_tid_address(0x7f126eb069f0)         = 8660
set_robust_list(0x7f126eb06a00, 0x18)   = 0
futex(0x7fff76bc986c, FUTEX_WAKE_PRIVATE, 1) = 0
futex(0x7fff76bc986c, FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME, 1, NULL, 
7f126eb06720) = -1 EAGAIN (Resource temporarily unavailable)
rt_sigaction(SIGRTMIN, {0x7f126da0a740, [], SA_RESTORER|SA_SIGINFO, 
0x7f126da14c60}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0x7f126da0a7d0, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 
0x7f126da14c60}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
brk(0)                                  = 0xa89000
brk(0xabf000)                           = 0xabf000
stat("/usr/local/etc/reaver/reaver.db", {st_mode=S_IFREG|0666, st_size=14336, 
...}) = 0
open("/usr/local/etc/reaver/reaver.db", O_RDWR|O_CREAT, 0644) = 3
fcntl(3, F_GETFD)                       = 0
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
fstat(3, {st_mode=S_IFREG|0666, st_size=14336, ...}) = 0
lseek(3, 0, SEEK_SET)                   = 0
read(3, "SQLite format 3\0\4\0\1\1\0@  \0\3-\252\0\0\0\16"..., 100) = 100
write(2, "\nReaver v1.4 WiFi Protected Setu"..., 46
Reaver v1.4 WiFi Protected Setup Attack Tool
) = 46
write(2, "Copyright (c) 2011, Tactical Net"..., 88Copyright (c) 2011, Tactical 
Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

) = 88
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

if I run reaver and give -c befor -i then reaver tries to switch channel but it 
does not know the interface yet ... sorry for my bad english 

argsparser.c line 104
                        case 'c':
                change_channel(strtod(optarg, NULL));    // reaver -c 6 -i mon0 -b xx:xx...   interface is NULL in this case

Original comment by mich4th3...@googlemail.com on 10 Jan 2012 at 6:38

GoogleCodeExporter commented 8 years ago 
This isn't limited to openwrt, but a generic issue with the way arguments are 
handled.

diff to fix channel and interface handling below, other arguments may require 
further changes

--- argsparser.c.old    2012-01-11 09:15:16.000000000 +0100
+++ argsparser.c        2012-01-11 09:22:37.000000000 +0100
@@ -39,6 +39,12 @@
        int ret_val = EXIT_SUCCESS;
        int c = 0;
        int long_opt_index = 0;
+
+       int config_channel = 0;
+       int channel = 0;
+       int config_iface = 0;
+       char *iface;
+
        char bssid[MAC_ADDR_LEN] = { 0 };
        char mac[MAC_ADDR_LEN] = { 0 };
        char *short_options = "b:e:m:i:t:d:c:T:x:r:g:l:o:p:s:aA5ELfnqvDShw";
@@ -82,7 +88,9 @@
                 switch(c)
                 {
                         case 'i':
-                                set_iface(optarg);
+/*                                set_iface(optarg); */
+                               config_iface = 1;
+                               iface = strdup(optarg);
                                 break;
                         case 'b':
                                 str2mac((unsigned char *) optarg, (unsigned char *) &bssid);
@@ -102,8 +110,10 @@
                                 set_m57_timeout(strtof(optarg, NULL) * SEC_TO_US);
                                 break;
                         case 'c':
-                                change_channel(strtod(optarg, NULL));
-                                set_fixed_channel(1);
+/*                                change_channel(strtod(optarg, NULL)); */
+/*                                set_fixed_channel(1); */
+                               config_channel = 1;
+                               channel = strtod(optarg, NULL);
                                 break;
                         case '5':
                                 set_wifi_band(AN_BAND);
@@ -170,6 +180,17 @@
                 }
         }

+       if (config_iface != 0)
+               {
+               set_iface(iface);
+               }
+
+       if (config_channel != 0)
+               {
+               change_channel(channel);
+               set_fixed_channel(1);
+               }
+
        return ret_val;
 }

Original comment by annemarc...@gmail.com on 11 Jan 2012 at 8:33

GoogleCodeExporter commented 8 years ago 
Ah, sorry! Thanks for the patch, fixed now.

Original comment by cheff...@tacnetsol.com on 12 Jan 2012 at 12:36

GoogleCodeExporter commented 8 years ago 
Thank you :)

Original comment by annemarc...@gmail.com on 13 Jan 2012 at 5:38